---
url: 'https://www.corbado.com/blog/passkeys-UK-overview'
title: 'Passkeys UK: An Overview [2026]'
description: 'Discover how the UK / Great Britain is advancing passkey adoption across banking, retail and digital IDs driven by regulation, security needs and user-friendly technology.'
lang: 'en'
author: 'Alex'
date: '2026-02-25T13:42:51.681Z'
lastModified: '2026-03-25T10:01:36.734Z'
keywords: 'passkeys UK, passwordless authentication Great Britain, UK digital identity, FIDO2 Uk, secure login UK, biometric login UK, digital ID framework UK, passkeys retail Great Britain, UK fintech security, multi-factor authentication UK'
category: 'Authentication'
---

# Passkeys UK: An Overview [2026]

## Key Facts

- UK fraud losses totaled £1.17 billion in 2024, with 3.13 million confirmed unauthorized
  fraud incidents, making phishing-resistant authentication a board-level priority.
- **Passkeys** use device-bound cryptographic credentials with biometric or PIN unlock,
  eliminating reusable secrets that underpin credential theft and phishing attacks.
- The NCSC explicitly recommends **FIDO2 MFA** (passkeys) for guessing resistance,
  phishing resistance and theft resistance, distinguishing them from weaker MFA methods
  like SMS OTP.
- GOV.UK One Login has reached over 13 million users across more than 120 services, with
  passkeys on its roadmap as a first-class sign-in method.
- Remote purchase fraud reached £399.6 million in 2024, driving UK financial institutions
  toward passkeys as a front-line control against credential abuse.

## 1. Introduction

In this article, we provide a concise overview of the current state of passkey
implementation in the United Kingdom. Passkeys represent the next generation of secure and
[user-friendly authentication](https://www.corbado.com/faq/passkey-user-experience-benefits-non-technical-audience),
moving beyond the well-known weaknesses of traditional passwords and many legacy MFA
methods.

The UK is a particularly interesting market because adoption is being shaped by a rare mix
of factors:

- a high-pressure fraud environment,
- strong national security guidance and
- [large-scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview) modernization efforts
  across critical services.

The UK also stands out because passkeys are not only appearing through global consumer
platforms but are increasingly relevant for regulated and public-facing journeys. National
guidance from the National [Cyber Security Centre (NCSC)](https://www.ncsc.gov.uk/) has
helped set expectations around [phishing](https://www.corbado.com/glossary/phishing)-resistant authentication,
while [government](https://www.corbado.com/passkeys-for-public-sector) and [healthcare](https://www.corbado.com/passkeys-for-healthcare)
services have begun incorporating passkey support into their sign-in experiences,
accelerating public familiarity with the concept.

Economic incentives are hard to ignore. Fraud and account takeover remain persistent, and
organisations are under constant pressure to reduce friction and support costs without
weakening security. In that environment, passkeys are increasingly viewed as one of the
few approaches that can improve security and UX at the same time.

**In this article, we will address these key questions:**

1. Why are passkeys especially relevant for the UK?
2. How is the UK’s regulatory and policy landscape driving
   [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case)?
3. To what extent are financial institutions, [government](https://www.corbado.com/passkeys-for-public-sector)
   services, and retailers implementing passkeys?
4. What are the main challenges to scaling passkey usage nationwide and how can they be
   overcome?

## 2. Passkeys: what they are and why they matter in the UK

Before looking at regulation, industry rollouts, and
[public-sector](https://www.corbado.com/passkeys-for-public-sector) programs, it helps to align on what passkeys
are and why they matter in the UK context. Passkeys are not just a “new login feature”.
They are a shift in how online accounts are protected: away from shared secrets that can
be stolen or replayed, toward cryptographic credentials that are designed to resist
[phishing](https://www.corbado.com/glossary/phishing) and many common forms of account takeover.

### 2.1 Defining Passkeys

[Passkeys replace passwords](https://www.corbado.com/faq/do-passkeys-replace-passwords) with a secure,
cryptographic way to sign in using your device. Instead of typing a password, users
authenticate with a fingerprint, face recognition, or device PIN, and the device then uses
a private key to complete the login.

Key features of passkeys include:

- [**Phishing-resistance**](https://www.corbado.com/glossary/phishing-resistant-mfa) **by
  design:** The credential is bound to the specific website (relying party), making
  classic [phishing](https://www.corbado.com/glossary/phishing) sites ineffective.
- **No shared secret:** There is no password stored on a server that can be leaked in a
  database breach.
- **Device-based security:** The private key is protected by the device’s secure hardware
  (e.g., [secure enclave](https://www.corbado.com/glossary/secure-enclave) or TPM).
- **Biometric or PIN unlock:** Users authenticate with fingerprint, face recognition, or
  device PIN, improving both security and usability.
- **Support for**
  [**sync or device-bound models**](https://www.corbado.com/blog/device-bound-synced-passkeys)**:**
  Passkeys can either be synced across devices via credential managers or remain bound to
  a single device, depending on security and assurance requirements.
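
The relying-party binding in the first bullet shows up in the checks a server runs on a passkey sign-in response. The sketch below is an added example, not code from this article or from any service it names; the RP ID, origins and sample messages are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration; not taken from any real service.
RP_ID = "login.example.org"
EXPECTED_ORIGIN = "https://login.example.org"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN unlock succeeded)


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion_binding(client_data_json, authenticator_data,
                            expected_challenge, require_uv=True):
    """Return a list of failed checks; an empty list means the response is
    bound to this relying party and to this login attempt."""
    failures = []
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON is not a JSON object"]

    if client.get("type") != "webauthn.get":
        failures.append("type is not webauthn.get")

    # The challenge ties the response to one server-issued login attempt.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        failures.append("challenge mismatch")

    # The browser, not the page, records the origin that was actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin mismatch")

    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        failures.append("authenticatorData too short")
        return failures
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(rp_id_hash, expected_hash):
        failures.append("rpIdHash mismatch")
    if not flags & FLAG_UP:
        failures.append("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        failures.append("user verification flag not set")
    return failures


def build_sample(origin, rp_id, challenge,
                 flags=FLAG_UP | FLAG_UV, sign_count=1):
    """Construct the two byte strings a browser and authenticator would return
    for a sign-in performed on `origin` with a credential scoped to `rp_id`."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([flags])
                          + sign_count.to_bytes(4, "big"))
    return client_data_json, authenticator_data


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server uses random bytes
    genuine = build_sample(EXPECTED_ORIGIN, RP_ID, challenge)
    # Constructed lookalike origin on a reserved test domain.
    lookalike = build_sample("https://login-example.test",
                             "login-example.test", challenge)
    print("genuine site  :", check_assertion_binding(*genuine, challenge))
    print("lookalike site:", check_assertion_binding(*lookalike, challenge))
```

Verifying the signature over `authenticatorData` and the SHA-256 hash of `clientDataJSON` with the stored public key is a separate step, normally handled by a WebAuthn server library.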

### 2.2 Why Passkeys matter specifically in the UK

The UK has plenty of the same problems that are also driving passkeys globally, like
phishing, password reuse, and the ongoing usability pain of logins. But what makes the UK
distinct is how these pressures show up in everyday, high-trust journeys:

- [banking](https://www.corbado.com/passkeys-for-banking) and [payments](https://www.corbado.com/passkeys-for-payment),
- citizen services, and
- [healthcare](https://www.corbado.com/passkeys-for-healthcare).

These journeys are part of the country’s digital infrastructure, and weaknesses in
authentication translate directly into fraud, operational cost, and loss of trust in these
sectors.

#### The Economic Context: Fraud at Scale and Credential Abuse

The most visible driver is the scale and persistence of financial crime. UK Finance
reported total losses of
[£1.17 billion in 2024, and the volume of unauthorised fraud incidents remains extremely high, with 3.13 million confirmed cases reported in 2024.](https://www.ukfinance.org.uk/news-and-insight/press-release/fraud-report-2025-press-release)
In practice, that means organisations are not only managing large losses, but also dealing
with high-frequency credential abuse, customer remediation, and the support burden that
comes with fragile authentication.

Passkeys address a core part of this problem by removing reusable secrets from the login
flow. When implemented well, they reduce the attack surface for phishing and credential
reuse, two mechanisms that continue to underpin many common account takeover patterns.

#### Aligning With the UK’s Digital Identity Direction

Passkeys also matter in the UK because sign-in modernisation is happening at citizen
scale. As [government](https://www.corbado.com/passkeys-for-public-sector) and
[healthcare](https://www.corbado.com/passkeys-for-healthcare) services upgrade their authentication journeys,
millions of people are becoming familiar with modern, passkey-style sign-in that relies on
built-in platform security rather than passwords. This growing exposure is shifting
expectations toward simpler, faster, and more phishing-resistant access across other
sectors.

More broadly, UK-wide identity modernization efforts, including the
[digital identity](https://www.corbado.com/blog/digital-identity-guide)
[trust framework](https://www.corbado.com/glossary/trust-framework), make passkeys a natural building block. In
the UK context, passkeys are not just a nicer login.

## 3. The Rollout Tracker: Who is Live? (UK)

UK organisations are steadily adopting passkeys to improve account security, reduce fraud,
and reduce reliance on passwords and
[SMS-based authentication](https://www.corbado.com/faq/sms-based-authentication-explained). Below is a snapshot
of the current UK landscape as of late 2025.

### 3.1 NHS Passkeys

The NHS is one of the earliest
[large-scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview) government adopters of
passkeys in the UK, integrating them into the NHS login service.

Key characteristics:

- Passkeys available via NHS login for accessing health records and services
- Designed to replace SMS-based one-time codes over time
- Uses device-bound biometrics (Face ID / fingerprint) or device PIN
- Positioned as both a security and usability upgrade for patients

[NHS Login Help Centre](https://help.login.nhs.uk/manage/passkeys/)

### 3.2 GOV.UK Passkeys

The UK government has begun introducing passkeys across selected GOV.UK services as part
of a broader identity modernisation programme.

Key characteristics:

- Gradual replacement of SMS OTP and email verification
- Focus on high-assurance identity journeys
- Integrated into government identity platforms rather than standalone apps
- Long-term goal to reduce knowledge-based authentication

[National Cyber Security Centre Announcement](https://www.ncsc.gov.uk/news/government-adopt-passkey-technology-digital-services)

### 3.3 Revolut Passkeys

[Revolut](https://www.corbado.com/blog/revolut-passkeys) was among the earliest UK fintechs to deploy
[passkeys at scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview).

Key characteristics:

- Biometric-backed [passkeys replace passwords](https://www.corbado.com/faq/do-passkeys-replace-passwords) and
  PINs
- Strong focus on fast, low-friction re-authentication
- Designed to reduce phishing and account takeover risk
- Integrated deeply into a mobile-first security model

[Revolut Help Centre](https://help.revolut.com/help/profile-and-plan/log-in-issues/what-are-passkeys/)

### 3.4 Virgin Media Passkeys

Virgin Media has introduced passkeys for customer account management.

Key characteristics:

- Passkeys available for online account access
- Focus on reducing [password resets](https://www.corbado.com/faq/passkeys-reduce-password-resets-otp-costs) and
  support volume
- Targets phishing and account takeover attacks
- Part of a broader [telecom](https://www.corbado.com/passkeys-for-telecom)-industry shift to FIDO-based
  authentication

[Virgin Media Account Security](https://www.virginmedia.com/help/security)

### 3.5 EE Passkeys

EE (BT Group) supports passkeys for managing customer accounts online.

Key characteristics:

- Passkeys reduce reliance on passwords and SMS verification
- Integrated into BT Group’s identity infrastructure
- Designed to improve consumer security with minimal friction

[EE Help & Security](https://www.ee.co.uk/help/security)

### 3.6 British Airways Passkeys

British Airways supports FIDO-certified authentication methods as part of its multi-factor
authentication strategy.

Key characteristics:

- Supports FIDO security keys and passkey-ready hardware
- Primarily positioned as MFA rather than full
  [password replacement](https://www.corbado.com/faq/do-passkeys-replace-passwords)
- Focused on protecting high-value loyalty and booking accounts
- Expected to evolve toward broader passkey usage

[British Airways Account Security](https://www.britishairways.com/en-gb/information/legal/security)

### 3.7 Luno Passkeys

The London-founded crypto exchange supports passkeys for both login and authentication
hardening.

Key characteristics:

- Passkeys supported for sign-in and MFA
- Designed for high-risk financial and crypto accounts
- Reduces phishing and credential compromise
- Aligns with regulatory expectations for strong authentication

[Luno Help Centre](https://guide.luno.com/hc/en-gb/articles/11035620246429)

### 3.8 Dext Passkeys

Dext (formerly Receipt Bank) has deployed passkeys for its business users.

Key characteristics:

- Reduces shared-password and credential reuse risks
- Protects access to sensitive accounting and financial data
- Positioned as an upgrade to traditional MFA

[Dext Security Information](https://www.dext.com/uk/security)

### 3.9 123-Reg Passkeys

123-Reg supports passkeys as a secure authentication factor for domain and hosting
management.

Key characteristics:

- Offered as a strong MFA option
- Protects high-risk DNS and domain transfer actions
- Reduces reliance on [SMS-based authentication](https://www.corbado.com/faq/sms-based-authentication-explained)

[123-Reg Security Centre](https://www.123-reg.co.uk/support/security/)

### 3.10 ASOS Passkeys

ASOS has been testing biometric and passkey-adjacent authentication flows, primarily on
mobile.

Key characteristics:

- Partial rollout focused on mobile app experiences
- Frequently cited in regional [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case)
  directories
- Likely precursor to full [FIDO2](https://www.corbado.com/glossary/fido2) passkey deployment
- Focus on checkout and account protection

[ASOS App Security Updates](https://www.asos.com/customer-care/)

### 3.11 CPOMS Passkeys

CPOMS uses passkeys to protect access to highly sensitive safeguarding and
child-protection data.

Key characteristics:

- High-assurance authentication for education professionals
- Reduces risk from credential sharing
- Designed for regulated, sensitive environments

[CPOMS Security Information](https://www.cpoms.co.uk/security/)

### 3.12 ePayslips Passkeys

ePayslips has integrated passkeys to protect employee payroll and HR data.

Key characteristics:

- Secure employee access without password reuse
- Privacy-preserving authentication model
- Supports compliance-driven security requirements

[ePayslips Product & Security](https://www.epayslips.com/)

## 4. The UK Regulatory and Policy Environment is leaning towards Passkeys

The UK does not currently _mandate passkeys_ outright. However, several regulatory and
policy forces create a strong baseline expectation for modern authentication, and they
increasingly reward phishing-resistant approaches. In practice, this means many UK
organisations are being pushed to rethink logins and
[step-up authentication](https://www.corbado.com/glossary/step-up-authentication) with multi-factor
authentication, especially where fraud risk is high (payments, account access, sensitive
changes) and where user experience cannot afford constant friction.

**Two drivers stand out in particular:**

- National security guidance from the
  [National Cyber Security Centre](https://www.corbado.com/blog/ncsc-passkeys) (NCSC) and
- [Strong Customer Authentication](https://www.corbado.com/faq/sca-psd2-importance) (SCA) rules overseen by the
  Financial Conduct Authority (FCA) that shape how [payments](https://www.corbado.com/passkeys-for-payment) and
  account access are secured.

### 4.1 NCSC Guidance: the UK’s Expectations for phishing-resistant MFA

For most UK organisations, the [NCSC](https://www.corbado.com/blog/ncsc-passkeys) functions as the reference
point for what “good” security looks like in the real world. This is especially true for
authentication, where the [NCSC](https://www.corbado.com/blog/ncsc-passkeys) is explicit that not all MFA methods
provide the same protection. In its guidance on recommended MFA types, the
[NCSC](https://www.corbado.com/blog/ncsc-passkeys) highlights **FIDO2 MFA aka Passkeys** as offering **guessing
resistance, phishing resistance, and theft resistance**.

That distinction matters because many widely used MFA options primarily defend against
password guessing, while remaining vulnerable to modern social engineering. The NCSC’s
broader MFA guidance explains why organisations should choose controls based on real
attacker behaviour, rather than treating “any MFA” as automatically sufficient.

The UK’s passkey conversation is also shaped by the NCSC’s public position that passkeys
are a clear step forward, while still having practical adoption challenges to solve across
usability, deployment patterns, and recovery.

### 4.2 Strong Customer Authentication: PSD2 in the UK and FCA Enforcement

[Strong Customer Authentication](https://www.corbado.com/faq/sca-psd2-importance) (SCA) is one of the most
consequential regulatory levers for authentication in the UK, because it directly affects
how customers access accounts and approve many electronic
[payments](https://www.corbado.com/passkeys-for-payment). In the UK, SCA sits within the
[Payment](https://www.corbado.com/passkeys-for-payment) Services Regulations framework (which implemented
[PSD2](https://www.corbado.com/blog/psd2-passkeys)) and is overseen by the FCA. Although described in a UK
regulatory context, these SCA requirements are substantively the same as the
[PSD2](https://www.corbado.com/blog/psd2-passkeys) SCA rules applied across all EU member states.

At a high level, SCA requires authentication based on **two or more independent factors**
drawn from three categories:

- **Knowledge:** something only the user knows
- **Possession:** something only the user possesses
- **Inherence:** something the user is

This definition, including the requirement that the factors are independent (so that
compromising one does not compromise the other), is captured in UK industry guidance and
FAQs used by [payment](https://www.corbado.com/passkeys-for-payment) and [banking](https://www.corbado.com/passkeys-for-banking)
[stakeholders](https://www.corbado.com/blog/passkeys-stakeholder).

#### 4.2.1 SCA in E-commerce Payments

While SCA-related rules have applied in the UK since 14 September 2019, one of the most
important moments for consumers and [merchants](https://www.corbado.com/glossary/merchant) was the move to full
compliance for [e-commerce](https://www.corbado.com/passkeys-for-e-commerce) card transactions. The FCA extended
the deadline for [e-commerce](https://www.corbado.com/passkeys-for-e-commerce) SCA implementation to 14
March 2022.

This timeline matters because it explains why authentication UX has become a commercial
issue in the UK. SCA improves [payment](https://www.corbado.com/passkeys-for-payment) security, but it also
introduces friction if implemented with clunky or failure-prone step-up methods. The
result is that UK organisations have been actively searching for approaches that can
satisfy strong authentication requirements without turning checkout and sign-in into
conversion bottlenecks.

### 4.3 “Cyber Essentials” as practical Compliance Pressure

Beyond regulated finance, one of the most practical factors for stronger authentication in
the UK is [**Cyber Essentials**](https://www.ncsc.gov.uk/cyberessentials/overview), a
widely used baseline for organisational cyber hygiene. For many companies (and especially
SMEs), it’s a requirement for doing business, winning tenders, or meeting supplier due
diligence expectations.

What matters for passkeys is that the Cyber Essentials requirements are explicit about
**where MFA should be used** and how organisations should think about MFA quality. In the
[current requirements for IT infrastructure **v3.2**](https://www.ncsc.gov.uk/files/cyber-essentials-requirements-for-it-infrastructure-v3-2.pdf),
MFA is positioned as a key control for protecting accounts, particularly where access is
possible from the internet or where cloud services are involved. The document also notes
that [**SMS is not the most secure MFA method**](https://www.corbado.com/blog/sms-costs)
and recommends using stronger alternatives where feasible.

### 4.4 Digital Identity Trust Framework (DIATF): What it means for Passkeys

In parallel to One Login (the UK [government's](https://www.corbado.com/passkeys-for-public-sector) unified digital
identity and [single sign-on](https://www.corbado.com/blog/passkeys-single-sign-on-sso) system), the UK has been
building the broader rulebook for [digital identity](https://www.corbado.com/blog/digital-identity-guide)
ecosystems: the **UK Digital Identity and Attributes Trust Framework (DIATF)**. This
matters because passkeys become much more powerful when they can sit inside trustworthy,
interoperable identity journeys, for example where services rely on verified attributes
(age, right to work) and consistent assurance expectations.

A key UK-specific milestone is that the DIATF **gamma** version came into force on 1
December 2025 and is described as the **first statutory**
[trust framework](https://www.corbado.com/glossary/trust-framework) for Digital Verification Services under the
**Data (Use and Access) Act 2025**. This is an important “institutional signal”: the UK is
formalising the governance model around it.

At a practical level, DIATF sets expectations for how different actors in the ecosystem
operate, for example:

- **Identity verification providers:** how a person’s identity is checked and what quality
  controls apply
- **Attribute providers:** how verified attributes are handled, shared, and governed
- **Wallet / holder services:** how users manage credentials and recovery safely
- **Interoperability and oversight:** how trust is maintained across multiple providers
  without relying on a single central database

This framework is one reason the UK discussion about passkeys quickly moves beyond “login
convenience” and into questions of assurance, recovery, and how cryptographic credentials
fit into a wider digital trust architecture.

## 5. Financial Sector Adoption

The UK financial sector is one of the most natural early adopters of passkeys. Few
industries combine such a high fraud incentive with such strict expectations around
authentication quality and user protection. At the same time, UK consumers are already
used to increased security in [banking](https://www.corbado.com/passkeys-for-banking), which makes the sector a
practical proving ground for authentication methods that can be both stronger and simpler.

### 5.1 Why UK Finance is a natural early Adopter

UK Finance’s latest figures highlight fraud at national scale, and the attack volume
remains extremely high. That makes authentication quality a front-line control for UK
[financial services](https://www.corbado.com/passkeys-for-banking), not a back-office detail.

A few UK-specific patterns make authentication quality especially important:

- **Remote purchase fraud remains a major loss category**,
  [reaching **£399.6 million** in **2024**](https://www.ukfinance.org.uk/system/files/2025-05/UK%20Finance%20Annual%20Fraud%20report%202025.pdf).
- **The industry**
  [**prevented £1.45 billion of unauthorized fraud**](https://www.rsmuk.com/news/fraud-cases-jump-as-fraudsters-evolve-at-an-unprecedented-speed),
  described as the equivalent of **67p in every £1** attempted being stopped without a
  loss occurring.
- **Telephone banking fraud is still heavily driven by social engineering**, and UK
  Finance explicitly notes social engineering as the main driver in this category.

Against this backdrop, passkeys are compelling because they make classic phishing and
credential replay materially harder. That is directly aligned with the fraud mechanisms
the UK is seeing at scale.

### 5.2 Neobanks and digital-first banks: UX-led rollout

#### 5.2.1 Revolut’s Passkey Strategy in the Context of UK Expansion

UK digital-first banks and fintechs tend to move earlier because they can iterate quickly
and because their customers often live in mobile-first flows already.
[Revolut](https://www.corbado.com/blog/revolut-passkeys) is a well-known example: it has rolled out passkeys for
Personal and Business accounts, positioning passkeys as a practical alternative to
passwords in day-to-day sign-in.

This is also happening in a broader context of [Revolut](https://www.corbado.com/blog/revolut-passkeys)’s UK
expansion. Revolut announced it received a UK banking licence with restrictions on 25 July
2024 and entered the PRA “mobilisation” stage. That matters because passkeys fit naturally
into the direction of [travel](https://www.corbado.com/passkeys-for-travel) for a challenger bank that wants to
scale digital trust while keeping sign-in friction low.

#### 5.2.2 Wise’s Passkey Model for Secure Account Actions

A second UK-relevant example is Wise. Wise documents how users can set up and manage
passkeys and states that once set up, **passkeys become the default 2-step verification
method** for the account. This is a strong pattern for finance: passkeys are not only a
“login convenience feature”, but they can also become the default step-up method for
sensitive actions.

### 5.3 Incumbent banks: scaling passkeys safely

For large incumbent banks, the opportunity is enormous, but so is the complexity. Most
high street banks already operate mature device-based security models, including security
codes and dedicated “secure key” style approaches in digital banking. HSBC, for example,
documents its use of a Digital Secure Key and security codes as an extra layer for online
banking transactions.

That existing posture shapes how passkeys enter the picture. In practice, incumbents tend
to evaluate passkeys through questions like:

- How to introduce passkeys without disrupting established risk controls and customer
  journeys
- How to support a transition period where multiple sign-in methods must coexist
- How to avoid shifting risk from login to weaker recovery paths (a recurring theme in
  national guidance, and a practical concern for banks)

This is why, in the UK, financial [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case)
is best understood as a multi-stage transition. Neobanks can move fast, while incumbents
are usually optimising for a safe migration at national scale.

### 5.4 Payment Providers and Fintech Infrastructure

Payment providers play an outsized role in making passkeys real for consumers, because
they cover login, checkout, and account security. A particularly clear UK milestone was
[PayPal](https://www.corbado.com/blog/paypal-passkeys)’s expansion of passkeys to users in the UK on 27
June 2023.

This matters for the UK market for two reasons:

1. It increases public familiarity with passkeys outside of tech-native contexts.
2. It reinforces the idea that passkeys can reduce friction in high-frequency, high-risk
   flows, which is exactly the pressure point for payments.

Alongside these brands, fintech platforms like Wise contribute to normalizing passkeys as
part of a modern security baseline, especially when passkeys become the default method for
step-up verification.

## 6. Government and public Services: Passkeys for citizens

In the UK, public services are doing something uniquely powerful for passkey adoption:
they are teaching [passkeys at scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview).
When millions of people encounter passkeys in government and healthcare journeys, passkeys
stop feeling like a “tech feature” and start feeling like a normal way to sign in. The
result is a flywheel: familiarity increases, expectations rise, and private-sector
rollouts face less user friction.

### 6.1 GOV.UK One Login: Moving away from passwords

GOV.UK One Login is designed to be the single way for people to sign in and prove their
identity when using government services online. As of January 2026, GDS stated that **over
13 million** people have used it to access **more than 120** services.

What makes this especially relevant for passkeys is that One Login has publicly put
**Passkeys** on its roadmap as a sign-in capability, describing the goal as letting users
sign in with a biometric fingerprint or face scan instead of entering a password. This is
a strong signal that passkeys are being treated as a first-class authentication method for
citizen-scale services, not just an optional add-on.

A major milestone for national adoption is the integration of high-volume services. On 9
February 2026, HMRC announced that new customers registering for HMRC digital services can
sign up using GOV.UK One Login, creating an account with an email address and password
rather than a **10–12 digit** Government Gateway ID. HMRC also frames One Login as the
future single way to access government services online, from tax to passports to voter
registration.

GDS also emphasizes that trust and privacy are foundational, including that only minimum
necessary data is collected and that there is no central database linking user information
across government. This is part of why passkeys are such a natural fit for public
services: the authentication method can improve phishing resistance without requiring
citizens to manage more secrets or security codes.

### 6.2 NHS Login: Passkeys in Healthcare at Scale

Healthcare access is one of the clearest examples of why the UK’s passkey story is not
just about convenience. NHS Login explicitly positions passkeys as a secure alternative to
passwords and states that passkeys provide the strongest protection against phishing and
hacking attempts.

From a rollout perspective, the NHS Login help centre is also a good example of what
passkey support at scale looks like in practice:

- NHS Login tells users they can log in using fingerprint, face, PIN, passcode, or
  pattern, depending on how they unlock their device.
- It explicitly supports multi-device patterns, noting that users can have **multiple
  passkeys** set up on different devices.
- It documents cross-device setup via QR codes and supports Windows flows via
  [Windows Hello](https://www.corbado.com/glossary/windows-hello) or an external
  [security key](https://www.corbado.com/glossary/security-key).
- It also makes a clear privacy statement: the passkey is stored on the user’s device and
  cannot be seen or accessed by NHS login.

This combination (clear user guidance, multi-device support, and explicit recovery
information) is exactly what makes [public-sector](https://www.corbado.com/passkeys-for-public-sector) passkey
deployments so influential. They teach users what passkeys are and what to expect, and
they set a usability baseline other services need to match.

### 6.3 Inclusivity and Accessibility Requirements

Government and healthcare authentication must work for everyone, including people with
older devices, limited digital confidence, or accessibility needs. That requirement shapes
how passkeys are introduced in the UK: typically as an upgrade path, not as an immediate
hard requirement.

You can see this in the focus on support and fallback mechanisms:

- The GOV.UK One Login roadmap includes a **back up two-factor authentication method** and
  flexible management of two-factor methods.
- HMRC’s announcement also points users who need extra help to contact support for
  assistance with their GOV.UK One Login.
- NHS Login explains device loss scenarios and notes that users can still log in using
  another device with a passkey, or use a password if they do not have another passkey set
  up.

The practical takeaway is that UK public services are building passkeys into systems that
must remain resilient under real-world constraints: device churn, lost phones, shared
devices, accessibility needs, and a wide range of user capabilities. That forces careful
design around recovery, support, and safe fallbacks, which is often where weaker passkey
implementations in other sectors struggle.

## 7. What UK institutions and experts are signalling

In the UK, passkey adoption is being pulled forward by institutions that each apply
pressure from a different angle: security doctrine, fraud economics, payments compliance,
and trust requirements. Together, they are converging on the same practical outcome:
phishing-resistant authentication is becoming the default expectation for high-trust
journeys.

**NCSC sets the quality bar for authentication**: The NCSC has made one point especially
clear: not all MFA is equal, and phishing resistance is the differentiator that matters in
real attacks. That framing gives security teams a strong basis to prioritise
[FIDO2](https://www.corbado.com/glossary/fido2)-style approaches and to treat recovery and rollout design as part
of the security model, not an afterthought.

**UK Finance makes the business case impossible to ignore**: Fraud is described as a
societal-scale problem, not a niche security issue. That makes authentication improvements
a board-level topic in many financial institutions, and it’s why solutions that reduce
phishing and account takeover without adding friction keep gaining momentum.

**FCA turned authentication UX into a compliance constraint**: SCA pushed strong
authentication deeper into everyday customer journeys, especially in payments and
checkout. The implication is simple: if security controls create drop-off or failure
loops, they become commercially painful. That naturally increases appetite for approaches
that are both strong and low-friction.

**Ofcom raises the bar for trustworthy user journeys**: As online safety and age assurance
requirements grow, services need signals that are robust and usable for real people. This
doesn’t [mandate passkeys](https://www.corbado.com/blog/mandating-mfa) directly, but it reinforces the broader
direction: higher-trust digital interactions need better primitives, and
phishing-resistant authentication is one of them.

Taken together, the UK’s direction of [travel](https://www.corbado.com/passkeys-for-travel) is clear. The
remaining differentiator will be execution: consistent UX, inclusive support, and recovery
paths that do not quietly reintroduce the same old weaknesses.

## 8. Conclusion: The UK at a Tipping Point for Passkey Adoption

The UK’s transition toward passkeys is no longer hypothetical: persistent fraud pressure,
increasingly explicit expectations for phishing-resistant authentication, and
government-scale sign-in modernization are combining to make passkeys a mainstream
priority across sectors.

1. **What are passkeys and why do they matter for the UK?** Passkeys replace reusable
   secrets with phishing-resistant cryptographic credentials, which is crucial in the UK
   where authentication underpins high-trust journeys across banking, government, and
   healthcare.
2. **How is regulation and policy pushing change?** UK institutions are steadily raising
   the baseline toward phishing-resistant authentication, making stronger, simpler sign-in
   methods the practical destination for regulated and citizen-facing services.
3. **How far has implementation progressed across sectors?** Passkeys are already visible
   at national scale through [public-sector](https://www.corbado.com/passkeys-for-public-sector) platforms and
   are being reinforced by adoption in finance and large consumer services.
4. **What challenges remain to scale passkeys nationwide?** The biggest blockers are
   execution details, especially inconsistent UX and weak recovery flows that can quietly
   undermine phishing-resistant login.

## Frequently Asked Questions

### How do passkeys help UK organisations comply with Strong Customer Authentication (SCA) requirements?

Passkeys satisfy Strong Customer Authentication by combining possession (the device
holding the private key) and inherence (biometric unlock), meeting the two-factor
requirement under UK Payment Services Regulations enforced by the FCA. SCA for e-commerce
card transactions reached full compliance by 14 March 2022, and organisations that
deployed clunky step-up methods found them commercially damaging through checkout
drop-off. Passkeys address this directly by delivering strong authentication with low
friction, satisfying compliance without creating conversion bottlenecks.

### Why are UK neobanks adopting passkeys faster than incumbent high street banks?

UK neobanks like Revolut operate mobile-first platforms and can iterate quickly, allowing
them to deploy passkeys for both Personal and Business accounts as a practical replacement
for passwords in daily sign-in. Incumbent banks, by contrast, must manage a safe
transition where multiple sign-in methods coexist without shifting risk to weaker recovery
paths, since they already operate mature device-based security models with established
customer journeys. This makes passkey adoption in UK finance best understood as a
multi-stage transition rather than a single rollout.

### Which UK government services currently support passkeys and how widely are they used?

NHS Login already supports passkeys and explicitly states they provide the strongest
protection against phishing and hacking attempts, allowing users to set up multiple
passkeys across different devices with cross-device setup via QR codes. GOV.UK One Login,
which as of January 2026 serves over 13 million users across more than 120 services, has
publicly placed passkeys on its roadmap as a first-class sign-in capability. HMRC has also
announced that new customers registering for HMRC digital services can now sign up via
GOV.UK One Login, framing it as the future single access point for government services.

### What is the UK Digital Identity and Attributes Trust Framework (DIATF) and why does it matter for passkey deployments?

The DIATF gamma version came into force on 1 December 2025 as the first statutory trust
framework for Digital Verification Services under the Data (Use and Access) Act 2025,
formalising governance for identity verification providers, attribute providers and wallet
services. It sets interoperability and assurance expectations that make passkeys a natural
building block within high-trust identity journeys, particularly where services rely on
verified attributes such as age or right to work. This shifts the UK passkey conversation
beyond login convenience into questions of assurance levels, recovery design and how
cryptographic credentials fit a wider digital trust architecture.

### What are the main challenges to scaling passkeys across the UK and how are public-sector deployments addressing them?

The biggest blockers are inconsistent user experience and weak recovery flows that can
quietly reintroduce the vulnerabilities passkeys are designed to eliminate, particularly
when users lose devices or share them across household members. Public-sector deployments
like NHS Login address this by supporting multiple passkeys across different devices,
documenting QR code cross-device setup, providing explicit fallback to passwords when no
passkey is available and making clear that passkeys are stored on-device and cannot be
accessed by the service. GOV.UK One Login's roadmap also includes a backup two-factor
authentication method and flexible management of two-factor options to accommodate older
devices, accessibility needs and varying levels of digital confidence.
